chore(audit): ignore RUSTSEC-2025-0023 #2565

mxinden · 2025-04-07T10:22:57Z

RUSTSEC-2025-0023 discloses a vulnerability in Tokio: "Broadcast channel calls clone in parallel, but does not require Sync".

https://rustsec.org/advisories/RUSTSEC-2025-0023

Tokio is only used in neqo-bin. neqo-bin does not make use of Tokio's broadcast channels. neqo-bin is not used by Firefox.

All Tokio versions with a fix for RUSTSEC-2025-0023 require a libc version bump, i.e. require us to use a libc version other than what mozilla-central uses.

Thus, instead of updating Tokio, this commit simply ignores the CVE.

RUSTSEC-2025-0023 discloses a vulnerability in Tokio: "Broadcast channel calls clone in parallel, but does not require `Sync`". https://rustsec.org/advisories/RUSTSEC-2025-0023 Tokio is only used in neqo-bin. neqo-bin does not make use of Tokio's broadcast channels. neqo-bin is not used by Firefox. All Tokio versions with a fix for RUSTSEC-2025-0023 require a libc version bump, i.e. require us to use a libc version other than what mozilla-central uses. Thus, instead of updating Tokio, this commit simply ignores the CVE.

mxinden · 2025-04-07T10:37:51Z

CI failure due to #2422.

.deny.toml

github-actions · 2025-04-07T11:23:49Z

Failed Interop Tests

QUIC Interop Runner, client vs. server

neqo-latest as client

neqo-latest vs. go-x-net: ⚠️BP BA
neqo-latest vs. haproxy: ⚠️DC C20 M 3 B U L1 L2 C1 C2 BP BA
neqo-latest vs. kwik: ⚠️L1 C1
neqo-latest vs. lsquic: ⚠️L1 C1
neqo-latest vs. msquic: ⚠️Z A L1 C1
neqo-latest vs. mvfst: ⚠️A L1 C1 BA
neqo-latest vs. neqo: ⚠️A
neqo-latest vs. neqo-latest: ⚠️A
neqo-latest vs. nginx: ⚠️H DC LR C20 M S R Z 3 B U A L1 L2 C1 C2 6 BP BA
neqo-latest vs. ngtcp2: ⚠️CM
neqo-latest vs. picoquic: ⚠️A L1 C1
neqo-latest vs. quic-go: ⚠️A
neqo-latest vs. quiche: ⚠️C1 BP BA
neqo-latest vs. s2n-quic: ⚠️BA CM
neqo-latest vs. tquic: ⚠️S BP BA
neqo-latest vs. xquic: run cancelled after 20 min

neqo-latest as server

aioquic vs. neqo-latest: ⚠️C1 CM
go-x-net vs. neqo-latest: ⚠️CM
kwik vs. neqo-latest: ⚠️BP BA CM
lsquic vs. neqo-latest: ⚠️CM
msquic vs. neqo-latest: ⚠️Z U CM
mvfst vs. neqo-latest: ⚠️Z A L1 C1 CM
neqo vs. neqo-latest: ⚠️A
openssl vs. neqo-latest: ⚠️LR M A CM
quic-go vs. neqo-latest: ⚠️CM
quiche vs. neqo-latest: ⚠️CM
quinn vs. neqo-latest: ⚠️V2 CM
s2n-quic vs. neqo-latest: ⚠️CM
tquic vs. neqo-latest: ⚠️CM
xquic vs. neqo-latest: ⚠️M CM

All results

Succeeded Interop Tests

QUIC Interop Runner, client vs. server

neqo-latest as client

neqo-latest vs. aioquic: 🚀~~H DC LR C20 M S R Z 3 B U A L1 L2 C1 C2 6 V2 BP BA~~
neqo-latest vs. go-x-net: 🚀~~H DC LR M B U A L2 C2 6~~
neqo-latest vs. haproxy: 🚀~~H LR S R Z A 6 V2~~
neqo-latest vs. kwik: 🚀~~H DC LR C20 M S R Z 3 B U A L2 C2 6 V2 BP BA~~
neqo-latest vs. linuxquic: 🚀~~H DC LR C20 M S R Z 3 B U E A L1 L2 C1 C2 6 V2 BP BA CM~~
neqo-latest vs. lsquic: 🚀~~H DC LR C20 M S R Z 3 B U E A L2 C2 6 V2 BP BA~~
neqo-latest vs. msquic: 🚀~~H DC LR C20 M S R B U L2 C2 6 V2 BP BA~~
neqo-latest vs. mvfst: 🚀~~H DC LR M R Z 3 B U L2 C2 6 BP~~
neqo-latest vs. neqo: 🚀~~H DC LR C20 M S R Z 3 B U E L1 L2 C1 C2 6 V2 BP BA CM~~
neqo-latest vs. neqo-latest: 🚀~~H DC LR C20 M S R Z 3 B U E L1 L2 C1 C2 6 V2 BP BA CM~~
neqo-latest vs. ngtcp2: 🚀~~H DC LR C20 M S R Z 3 B U E A L1 L2 C1 C2 6 V2 BP BA~~
neqo-latest vs. picoquic: 🚀~~H DC LR C20 M S R Z 3 B U E L2 C2 6 V2 BP BA~~
neqo-latest vs. quic-go: 🚀~~H DC LR C20 M S R Z 3 B U L1 L2 C1 C2 6 BP BA~~
neqo-latest vs. quiche: 🚀~~H DC LR C20 M S R Z 3 B U A L1 L2 C2 6~~
neqo-latest vs. quinn: 🚀~~H DC LR C20 M S R Z 3 B U E A L1 L2 C1 C2 6 BP BA~~
neqo-latest vs. s2n-quic: 🚀~~H DC LR C20 M S R 3 B U E A L1 L2 C1 C2 6 BP~~
neqo-latest vs. tquic: 🚀~~H DC LR C20 M R Z 3 B U A L1 L2 C1 C2 6~~

neqo-latest as server

aioquic vs. neqo-latest: 🚀~~H DC LR C20 M S R Z 3 B A L1 L2 C2 6 V2 BP BA~~
chrome vs. neqo-latest: 🚀3
go-x-net vs. neqo-latest: 🚀~~H DC LR M B U A L2 C2 6 BP BA~~
kwik vs. neqo-latest: 🚀~~H DC LR C20 M S R Z 3 B U A L1 L2 C1 C2 6 V2~~
linuxquic vs. neqo-latest: 🚀~~H DC LR C20 M S R Z 3 B U E A L1 L2 C1 C2 6 V2 BP BA CM~~
lsquic vs. neqo-latest: 🚀~~H DC LR M S R 3 B E A L1 L2 C1 C2 6 V2 BP BA~~
msquic vs. neqo-latest: 🚀~~H DC LR C20 M S R B A L1 L2 C1 C2 6 V2 BP BA~~
mvfst vs. neqo-latest: 🚀~~H DC LR M 3 B L2 C2 6 BP BA~~
neqo vs. neqo-latest: 🚀~~H DC LR C20 M S R Z 3 B U E L1 L2 C1 C2 6 V2 BP BA CM~~
ngtcp2 vs. neqo-latest: 🚀~~H DC LR C20 M S R Z 3 B U E A L1 L2 C1 C2 6 V2 BP BA CM~~
openssl vs. neqo-latest: 🚀~~H DC C20 S R 3 B L2 C2 6 BP BA~~
picoquic vs. neqo-latest: 🚀~~H DC LR C20 M S R Z 3 B U E A L1 L2 C1 C2 6 V2 BP BA CM~~
quic-go vs. neqo-latest: 🚀~~H DC LR C20 M S R Z 3 B U A L1 L2 C1 C2 6 BP BA~~
quiche vs. neqo-latest: 🚀~~H DC LR M S R Z 3 B A L1 L2 C1 C2 6 BP BA~~
quinn vs. neqo-latest: 🚀~~H DC LR C20 M S R Z 3 B U E A L1 L2 C1 C2 6 BP BA~~
s2n-quic vs. neqo-latest: 🚀~~H DC LR M S R 3 B E A L1 L2 C1 C2 6 BP BA~~
tquic vs. neqo-latest: 🚀~~H DC LR M S R Z 3 B A L1 L2 C1 C2 6 BP BA~~
xquic vs. neqo-latest: 🚀~~H DC LR C20 S R Z 3 B U A L1 L2 C1 C2 6 BP BA~~

Unsupported Interop Tests

QUIC Interop Runner, client vs. server

neqo-latest as client

neqo-latest vs. aioquic: E CM
neqo-latest vs. go-x-net: C20 S R Z 3 E L1 C1 V2 CM
neqo-latest vs. haproxy: E CM
neqo-latest vs. kwik: E CM
neqo-latest vs. lsquic: CM
neqo-latest vs. msquic: 3 E CM
neqo-latest vs. mvfst: C20 S E V2 CM
neqo-latest vs. nginx: E V2 CM
neqo-latest vs. picoquic: CM
neqo-latest vs. quic-go: E V2 CM
neqo-latest vs. quiche: E V2 CM
neqo-latest vs. quinn: V2 CM
neqo-latest vs. s2n-quic: Z V2
neqo-latest vs. tquic: E V2 CM

neqo-latest as server

aioquic vs. neqo-latest: U E
chrome vs. neqo-latest: H DC LR C20 M S R Z B U E A L1 L2 C1 C2 6 V2 BP BA CM
go-x-net vs. neqo-latest: C20 S R Z 3 E L1 C1 V2
kwik vs. neqo-latest: E
lsquic vs. neqo-latest: C20 Z U
msquic vs. neqo-latest: 3 E
mvfst vs. neqo-latest: C20 S R U E V2
openssl vs. neqo-latest: Z U E L1 C1 V2
quic-go vs. neqo-latest: E V2
quiche vs. neqo-latest: C20 U E V2
s2n-quic vs. neqo-latest: C20 Z U V2
tquic vs. neqo-latest: C20 U E V2
xquic vs. neqo-latest: E V2

mxinden requested review from KershawChang, martinthomson and larseggert as code owners April 7, 2025 10:22

mxinden mentioned this pull request Apr 7, 2025

chore: update tokio to v1.42.0 #2564

Closed

mxinden marked this pull request as draft April 7, 2025 10:24

mxinden force-pushed the ignore-cve branch from 6fc708c to c0455e8 Compare April 7, 2025 10:27

mxinden force-pushed the ignore-cve branch from c0455e8 to 05e6e64 Compare April 7, 2025 10:30

mxinden marked this pull request as ready for review April 7, 2025 10:32

larseggert reviewed Apr 7, 2025

View reviewed changes

.deny.toml Outdated Show resolved Hide resolved

mxinden added 2 commits April 7, 2025 12:55

Add FIXME to update once mozilla-central updates libc dep

54a781e

newline

34d1e43

larseggert approved these changes Apr 7, 2025

View reviewed changes

Fix comment

b5b21bc

mxinden enabled auto-merge April 7, 2025 12:30

mxinden added this pull request to the merge queue Apr 7, 2025

github-merge-queue bot removed this pull request from the merge queue due to failed status checks Apr 7, 2025

mxinden added this pull request to the merge queue Apr 7, 2025

Merged via the queue into mozilla:main with commit 782cf68 Apr 7, 2025
78 of 81 checks passed

mxinden deleted the ignore-cve branch April 7, 2025 13:18

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(audit): ignore RUSTSEC-2025-0023 #2565

chore(audit): ignore RUSTSEC-2025-0023 #2565

mxinden commented Apr 7, 2025

mxinden commented Apr 7, 2025

github-actions bot commented Apr 7, 2025 •

edited

Loading

Succeeded Interop Tests

neqo-latest as client

neqo-latest as server

Unsupported Interop Tests

neqo-latest as client

neqo-latest as server

chore(audit): ignore RUSTSEC-2025-0023 #2565

chore(audit): ignore RUSTSEC-2025-0023 #2565

Conversation

mxinden commented Apr 7, 2025

mxinden commented Apr 7, 2025

github-actions bot commented Apr 7, 2025 • edited Loading

Failed Interop Tests

neqo-latest as client

neqo-latest as server

Succeeded Interop Tests

neqo-latest as client

neqo-latest as server

Unsupported Interop Tests

neqo-latest as client

neqo-latest as server

github-actions bot commented Apr 7, 2025 •

edited

Loading